To see what could be found, researchers built a tool they call PlayDrone, which leverages common hacking techniques to circumvent the measures that prevent indexing of Google Play store content. It stores each application’s metadata and decompiled sources in a Git repository, and it uses the Elasticsearch distributed real-time search and analytics engine, with an indexing schema based on the Google Play store API, to analyze and explore the store’s metadata and content.

In addition to finding that 25 per cent of Google Play store apps are duplicative (how many versions of Solitaire does the world need?), including various types of spam, application rebranding and application cloning, the data revealed something else: developers who had stored secret authentication keys in their Android applications without realizing those credentials are easily compromised through decompilation.

“These keys can be used by malicious users to steal server resources or user data available through services such as Amazon Web Services (AWS) or Facebook,” their paper says. “Unlike compromised applications that only affect users who download and run them, these server vulnerabilities affect users without even running the applications. Our results demonstrate developer confusion may subvert the effectiveness of the widely used OAuth open source standard for authentication.”

Google has been given code to help it scan for such vulnerabilities, and service providers have been alerted so they can prevent attacks using the exploit.

It isn’t clear whether coders who write Android apps are lazy, or whether the same vulnerability is present in iOS, Windows Phone or BlackBerry apps.

Either way, the research can be another reason why IT pros say no to Android on their networks.

But every IT and developer shop should now also be alert to the dangers of embedding authentication keys in client apps.
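The check the researchers describe, finding credentials sitting in decompiled app sources, is one a development shop can run against its own builds before release. The script below is an added example written for this article, not PlayDrone's code or anything from the paper: it scans decompiled source text for the documented AWS access key ID prefix and for long, high-entropy string literals, skipping URLs and public identifiers. The sample source is constructed; the two credential-looking strings in it are the placeholder values from AWS documentation, not live keys.

```python
"""Pre-release scan of decompiled app source for embedded credentials."""
import math
import re
from dataclasses import dataclass

# Constructed sample of what decompiling a built app might yield.
# The AWS-style values are AWS documentation placeholders, not real credentials.
SAMPLE_DECOMPILED = """
public final class Config {
    static final String API_BASE = "https://api.example.com/v1";
    static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    static final String FB_APP_ID = "123456789012345";
}
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str


# AWS access key IDs use the documented "AKIA" prefix followed by 16 characters.
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Any double-quoted literal of 20+ characters; filtered further by entropy below.
STRING_LITERAL_RE = re.compile(r'"([^"\\]{20,})"')


def shannon_entropy(s: str) -> float:
    """Bits per character. Random base64-like secrets score well above
    prose, identifiers and URLs, which is what separates them here."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str, entropy_threshold: float = 4.5) -> list[Finding]:
    """Return one Finding per suspicious literal, in source order.

    Short public identifiers (app IDs, client IDs) are not flagged: they are
    meant to ship in the client. What must not ship is anything that grants
    server-side access on its own."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Known-format credentials are reported by pattern regardless of entropy.
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append(Finding(line_no, "aws_access_key_id", m.group(0)))
        # Unknown-format secrets are caught by length plus entropy.
        for m in STRING_LITERAL_RE.finditer(line):
            literal = m.group(1)
            if AWS_KEY_ID_RE.fullmatch(literal):
                continue  # already reported above
            if literal.startswith(("http://", "https://")):
                continue  # long, but a URL is not a secret
            if shannon_entropy(literal) >= entropy_threshold:
                findings.append(Finding(line_no, "high_entropy_literal", literal))
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_DECOMPILED):
        print(f"line {f.line_no}: {f.kind}: {f.value}")
```

Run it over the output of a decompiler (or plain `strings` on the APK) as a build step that fails the release when anything is reported. A hit means the value belongs on a server the app talks to, behind proper authentication, not in the client binary.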

Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.